Cyberattacks: minimising exposure and dealing with the aftermath

When it comes to tackling cyberattacks, financial organisations need to recognise that cybercrime cannot be dealt with in isolation by the IT department. Traditional security measures, such as anti-virus software and firewalls, are increasingly unlikely to cope with the growing sophistication of modern cyberattacks. This rising risk makes it more important than ever for businesses to deal with any threat quickly, for reasons that include legislative requirements, the possibility of significant brand damage and financial fines.

As financial organisations continue to turn to technology to help their business operate, with financial technology (fintech) investment growing 177% in the first quarter of 2014, the danger from cyber threats grows too, because every new system is another avenue available to attackers.

Failure to mitigate this threat puts sensitive financial data at risk. Even with the best security technology in place, there are still plenty of channels for attackers to exploit. Take social engineering, for example: criminals insert a link or attachment into an otherwise plausible email, and when the user clicks on it the link or attachment gives them a foothold from which to reach sensitive data.

Following an attack, it is necessary to assess what has happened: which sensitive data has been breached, which systems have been infected, and so on. But what matters more, according to the Information Commissioner's Office (ICO), is the assessment of the possible consequences, including how serious they are and how likely they are to occur.

An in-house or external incident response (IR) team will then begin its investigation, collecting the necessary data and reviewing traffic, network activity and log reports. This work involves gathering all essential security data, working backwards to find Indicators of Compromise (IoCs), and then using an analytical model such as the seven-step Lockheed Martin 'Cyber Kill Chain' (reconnaissance, weaponisation, delivery, exploitation, installation, command and control, actions on objectives) to put everything into context. The Cyber Kill Chain, which is considered industry best practice and used by many organisations, or a similar approach, helps an organisation work out how the attack happened, what its full impact is, and how to resolve it.

Discovering an attack

Once a business has discovered that a cyberattack has taken place, and on average it takes an organisation 206 days to detect a breach, it then attempts to contain the issue, learn from it, and prevent any further breaches. The longer an attack is left undiscovered, the greater the damage is likely to be.

In most cases, it will take an organisation between 21 and 35 days from the initial detection of a data breach to analyse the networks and resolve the issue. A major reason for this delay is that perennially understaffed investigative teams typically need to hunt manually for IoCs through a vast amount of log data spread across a disparate range of logs, reports and packet captures.
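The hunt described in the two passages above (collecting log data, working backwards to find IoCs, then placing each hit on the Cyber Kill Chain) is easy to illustrate with a small script. The example below is added here and is not code from the original article; the log lines, indicator values and the mapping from log source to kill-chain stage are all constructed for the illustration, and the IP and domain are documentation-only values, not real attacker infrastructure. It reads heterogeneous log lines, matches every field against an IoC set, orders the hits into a timeline, and reports which kill-chain stages the logs do and do not cover.

```python
"""Hunt for IoCs across several log sources and map hits to the Cyber Kill Chain.

Added example; log lines and indicators are constructed, not real data.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Assumed mapping: which stage a matching event in a given log source most
# plausibly belongs to. An analyst's working assumption, not a hard rule.
STAGE_BY_SOURCE = {
    "mailgw": "Delivery",
    "edr": "Installation",
    "dns": "Command and Control",
    "proxy": "Command and Control",
    "netflow": "Actions on Objectives",
}

# Constructed indicator set (hypothetical values from documentation ranges).
IOCS = {
    "update-check.example.net",          # C2 domain
    "198.51.100.23",                     # C2 address (TEST-NET-2)
    "9e107d9d372bb6826bd81d3542a419d6",  # MD5 of the dropped executable
    "invoice_Q3.pdf.exe",                # dropper file name
}

# Constructed log lines, one per source, each "source|timestamp|k=v k=v ...".
# The dns line for WS-0102 is benign noise that must not match.
SAMPLE_LOGS = """\
mailgw|2016-03-01T08:02:11|to=alice@corp.example attachment=invoice_Q3.pdf.exe md5=9e107d9d372bb6826bd81d3542a419d6 action=delivered
edr|2016-03-01T08:05:40|host=WS-0417 user=alice proc=C:\\Users\\alice\\Downloads\\invoice_Q3.pdf.exe parent=outlook.exe
dns|2016-03-01T08:05:52|host=WS-0417 query=update-check.example.net answer=198.51.100.23
proxy|2016-03-01T08:06:03|host=WS-0417 dst=198.51.100.23:443 bytes_out=512 bytes_in=2048
dns|2016-03-01T08:30:00|host=WS-0102 query=www.example.org answer=93.184.216.34
netflow|2016-03-01T11:47:19|src=WS-0417 dst=198.51.100.23 dport=443 bytes_out=734003200
"""


@dataclass
class Hit:
    when: datetime
    source: str
    host: str            # "" when the source does not record a host
    indicators: List[str]
    stage: str


def _candidates(value: str) -> Set[str]:
    """Forms of a field value an indicator could match: raw, without :port, basename."""
    return {value, value.rsplit(":", 1)[0], re.split(r"[\\/]", value)[-1]}


def parse_line(line: str) -> Tuple[str, datetime, Dict[str, str]]:
    source, ts, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return source, datetime.fromisoformat(ts), fields


def hunt(logs: str, iocs: Set[str]) -> List[Hit]:
    """Return one Hit per log line that contains at least one indicator, in time order."""
    hits = []
    for line in logs.splitlines():
        if not line.strip():
            continue
        source, when, fields = parse_line(line)
        matched = sorted({i for v in fields.values() for i in _candidates(v) & iocs})
        if matched:
            host = fields.get("host") or fields.get("src") or ""
            hits.append(Hit(when, source, host, matched, STAGE_BY_SOURCE.get(source, "Unknown")))
    return sorted(hits, key=lambda h: h.when)


def stage_coverage(hits: List[Hit]) -> Tuple[List[str], List[str]]:
    """Kill-chain stages evidenced by the logs, and the stages the logs are silent on."""
    seen = {h.stage for h in hits}
    return [s for s in KILL_CHAIN if s in seen], [s for s in KILL_CHAIN if s not in seen]


def affected_hosts(hits: List[Hit]) -> List[str]:
    return sorted({h.host for h in hits if h.host})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS, IOCS)
    for h in found:
        print(f"{h.when.isoformat()}  {h.source:<8} {h.host or '-':<8} {h.stage:<22} {', '.join(h.indicators)}")
    covered, missing = stage_coverage(found)
    print("stages evidenced:", covered)
    print("stages with no log evidence:", missing)
    print("hosts to quarantine:", affected_hosts(found))
```

Run on the constructed input, the timeline shows delivery by email, execution on WS-0417, DNS resolution and a proxy connection to the C2 address, and a large outbound transfer to the same address hours later. Three stages (reconnaissance, weaponisation, exploitation) have no log evidence at all, which is exactly the incomplete picture the next paragraph warns about: the absence of a hit in the logs is not evidence that a stage did not happen.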

Even then, the log data often paints an incomplete picture of the attack. With such a wide window of opportunity, attackers generally have plenty of time not only to act on their objectives but to cover their tracks as well. By the time the attack is detected, much of the incriminating evidence has either been removed or has aged out of the security logs.

Minimising the damage

Depending on the size and budget of the company, and how seriously it approaches cybersecurity, the responsibilities of the IR team vary from business to business. Its members are tasked with the delicate balancing act of removing the threat completely and quickly while maintaining operations. This is particularly challenging for financial businesses, whose customers and clients rely on them. Few companies can afford to grind to a complete halt online; they must therefore aim to quarantine vulnerable or compromised systems to stop the attack from spreading.

If the attack is on a large enough scale to disrupt an organisation's entire service, as in a distributed denial of service (DDoS) attack, the main objective is to resume full operations as quickly as possible while simultaneously stopping the attack and securing against future ones. These types of attack can result in substantial revenue losses. In recent high-profile DDoS attacks, even a relatively short outage was enough to have a significant impact on both costs and customer confidence in the brand. The financial ramifications can be vast, as evidenced by the £56m fine imposed on Royal Bank of Scotland (RBS) in November 2014 by UK regulators for a 2012 software glitch that prevented many customers from withdrawing money: regulators treat an outage as a failure whatever its cause.

Once the scale of the attack is determined, the business must decide who needs to be notified, and use the ICO's guidelines to decide whether the attack must be made public. The ICO encourages organisations to bring the more serious breaches to its attention. Organisations also need to be aware that UK laws are not the only rules they must keep up to date with. Further regulation and compliance changes are coming, such as the European Union's General Data Protection Regulation (EU GDPR), which is being adopted this spring with enforcement to follow in spring 2018 after a two-year transition period, and, more recently, the transatlantic data privacy framework, Privacy Shield, agreed between the European Commission and the US in February.

Where to start?

Security analytics and network forensics both offer a good starting point. These solutions record traffic passing through the network and automatically categorise it for in-depth analysis. More advanced solutions add capabilities such as threat scanning and alerting, and session reconstruction, which lets companies see the actual infected file that led to the attack. Network forensics plays a vital role in defending against advanced attacks because it allows all the information related to the attack to be viewed in a single place.

Another security mechanism is sandboxing, an isolation technique that helps IR teams resolve breaches by identifying the threats that have evaded more traditional defences such as anti-virus and firewalls. A sandbox detonates files entering the network in an isolated environment and observes their behaviour, so that a file can be judged 'safe' or malicious on what it does rather than on whether a signature exists for it; this catches what signature-based perimeter controls miss. Many network security tools also lack the ability to scan for threats inside encrypted traffic, so implementing encrypted traffic management enables companies to decrypt traffic and forward it to other network security tools for scanning.

The task list

While these tools help IR teams deal with incidents, there are a number of steps a company must take before it can declare 'all clear'. First, identify the full scope of the attack and what has been lost. Second, establish whether the method of attack and the point of compromise have been stopped along the kill chain. Next, determine whether data has stopped leaking and the infection is no longer spreading. Finally, make an inventory of all infected systems and confirm that the team has restored them to normal in a way that prevents a recurrence. Only once these steps are complete can the all clear be given.

For financial services professionals, it is important to keep up to date with cyberattack trends and to know what to look for, particularly as, according to a Financial Times report, the financial sector suffers 300% more cyberattacks than any other industry. This is especially important for social engineering techniques, which can be used to trick someone into allowing a cyberattack to propagate.

Financial firms need to encourage and understand the development of internal cybersecurity policies so that threats are minimised as quickly as they appear. They must assume that their IT systems will be compromised at some stage, and it is the processes put in place beforehand that will determine how well they deal with the compromise. Investing in the right technology, such as security analytics, implementing strong cyber governance processes and developing IR teams is essential for firms looking to boost their cybersecurity capabilities. Without these, the door is wide open to cybercriminals.
